Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tomcat11 for openSUSE:Factory checked in at 2026-04-14 17:49:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tomcat11 (Old) and /work/SRC/openSUSE:Factory/.tomcat11.new.21863 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tomcat11" Tue Apr 14 17:49:08 2026 rev:11 rq:1346747 version:11.0.21 Changes: -------- --- /work/SRC/openSUSE:Factory/tomcat11/tomcat11.changes 2026-03-07 20:14:23.198928191 +0100 +++ /work/SRC/openSUSE:Factory/.tomcat11.new.21863/tomcat11.changes 2026-04-14 17:49:42.078966598 +0200 @@ -1,0 +2,132 @@ +Mon Apr 13 11:28:15 UTC 2026 - Ricardo Mestre <[email protected]> + +- Update to Tomcat 11.0.21 + - adapt tomcat-jdt.patch + * Fixed CVEs: + + CVE-2026-24880: Request smuggling via invalid chunk extension + (bsc#1261850) + + CVE-2026-25854: Occasionally open redirect (bsc#1261851) + + CVE-2026-29129: TLS cipher order is not preserved (bsc#1261852) + + CVE-2026-29145: OCSP checks sometimes soft-fail even when soft-fail is + disabled (bsc#1261853) + + CVE-2026-29146: EncryptInterceptor vulnerable to padding oracle attack by + default (bsc#1261854) + + CVE-2026-32990: The fix for CVE-2025-66614 was incomplete + + CVE-2026-34483: Incomplete escaping of JSON access logs (bsc#1261855) + + CVE-2026-34486: Fix for CVE-2026-29146 allowed bypass of + EncryptInterceptor (bsc#1261854) + + CVE-2026-34487: Cloud membership for clustering component exposed the + Kubernetes bearer token (bsc#1261856) + + CVE-2026-34500: OCSP checks sometimes soft-fail with FFM even when + soft-fail is disabled (bsc#1261857) + * Catalina + + Fix: Add escaping for URI and query string in the access log. (markt) + + Fix: 69967: Fix inconsistencies related to Content-Length and Content-Type + headers when accessed using the getHeader method and similar. (remm) + + Fix: 69940: Improve redirect handling in the LoadBalancerDrainingValve. + (schultz) + * Cluster + + Fix: Reduce log verbosity of the Kubernetes connection attempts and + failure. (remm) + + Fix: Better error handling for the EncryptInterceptor. (markt) + + Fix: 69970: Support raw IPv6 in Kubernetes membership provider for the + service host. (remm) + + Add: Add support for new algorithms provided by JPA providers to the + EncyptInterceptor. (markt) + * Coyote + + Fix: Fix an HTTP/2 header frame parsing bug that could result in a + connection being closed without a GOAWAY frame if an invalid HEADERS frame + was received. (markt) + + Fix: 69982: Fix a bug in the non-blocking flushing code for NIO+TLS that + meant that a response may not be fully written until the connection is + closed. Pull request #966 provided by Phil Clay. (markt) + + Fix: Ensure the HTTP/2 request header read buffer is reset (including + restoration to default size) after a stream reset. (markt) + + Add: Provide trailer field filtering equivalent to that provided for + non-trailer fields. Control characters (excluding TAB), and characters + with code points above 255 will be replaced with a space. (markt) + + Fix: Align OpenSSl FFM behaviour with Tomcat Native for various OCSP edge + cases. (markt) + + Fix: Fix case sensitive handling of the protocol host name. (remm) + + Add: Add an HTTP configuration setting, noCompressionEncodings, that can + be used to control which content encodings will not be compressed when + compression is enabled. Based on pull request #914 by Long9725. (markt) + + Fix: Add size limit for OCSP responses. Based on code submitted by Chenjp. + (remm) + + Fix: To maintain the documented alignment with the OpenSSL development + branch, the use of the aliases SSLv3, EXPORT, EXPORT40, EXPORT56, KRB5, + kFZA, aFZA, eFZA and FZA are no longer supported when setting the ciphers + attribute of an SSLHostConfig element. (markt) + + Fix: To maintain the documented alignment with the OpenSSL development + branch, add support for the aliases ARIAGCM and CBCwhen setting the + ciphers attribute of an SSLHostConfig element. (markt) + + Add: 69870: Add a drainTimeout to the HTTP/2 UpgradeProtocol element to + allow configuration of an time between the two final GOAWAY frames sent by + Tomcat when closing am HTTP/2 connection. Pull request #917 provided by + Kai Burjack. (markt) + + Update: Update the minimum recommended version of Tomcat Native so that + users of 1.3.x are recommended to update to 2.0.x. (markt) + + Fix: Respect the value for the jdk.tls.namedGroups system property as the + default value for the configured group list on the Connector. (remm) + + Fix: 69964: Respect the configured cipher order, which was no longer + respected following the addition of TLS 1.3 specific cipher configuration. + TLS 1.3 ciphers will always be first in the list. (remm) + + Fix: Free the x509 object in the FFM code when getting the peer + certificate if getting the bytes from the certificate somehow fails. Pull + request #951 provided by Chenjp. (remm) + + Fix: Improve HPACK exception use, making sure HpackException is thrown + instead of unexpected types. (remm) + + Fix: Update the parser for the HTTP Host header and :authority pseudo + header to convert the port, if any, to an Integer rather than a Long to be + consistent with how port is exposed in the Servlet API. (markt) + + Add: To aid the migration from the single ciphers configuration attribute + to the use of ciphers and cipherSuites, TLS 1.3 cipher suites listed in + the ciphers attribute will be removed from the ciphers attribute and added + to the end of the cipherSuites attribute. This behaviour will be removed + in Tomcat 12.0.x onwards. (markt) + + Code: Replace the external OpenSSL based OCSP responder used during unit + tests with a Bouncy Castle based, in-process Java OCSP responder. (markt) + + Fix: Relax HTTP/2 header validation and respond to invalid requests with a + stream reset or a 400 response as appropriate rather then with a + connection reset. (markt) + + Fix: Add validation of chunk extensions for chunked transfer encoding. + (markt) + + Update: Update the recommended version for Tomcat Native 2.x to 2.0.14. + (markt) + + Fix: Align the FFM handling of OCSP TRY_LATER responses with Tomcat + Native. (remm) + + Fix: Free CA certificate after calling SSL_CTX_add_client_CA in the FFM + code. Based on code from PR 44 from tomcat-native. (remm) + + Fix: Free certificate chain if an error occurs, in the FFM code. (remm) + + Fix: Report handshake issues as SSLException in the FFM code, rather than + IllegalStateException. (remm) + * Jasper + + Fix: 69948: Avoid ArrayOutOfBoundsException instead of + PropertyNotFoundException when generating a properties not found exception + in AstValue. Based on #950 submitted by Jérôme Besnard. (remm) + + Add: Add support for specifying Java 27 (with the value 27) as the + compiler source and/or compiler target for JSP compilation. If used with + an Eclipse JDT compiler version that does not support these values, a + warning will be logged and the default will be used. (markt) + * Web applications + + Add: 69931: Add <label> for fields in the HTML manager application. Patch + provided by yukitidev. (schultz) + * Websocket + + Fix: 69972: Remove unwanted space in DIGEST authorization header. Patch + submitted by Stefan Kalscheuer in #957. (remm) + * Other + + Update: Update bnd to 7.2.3. (markt) + + Update: Improvements to French translations. (remm) + + Update: Improvements to Japanese translations provided by tak7iji. (markt) + + Update: Update the internal fork of Apache Commons BCEL to 6.12.0. (markt) + + Update: Update to the Eclipse JDT compiler 4.39. (markt) + + Update: Update Tomcat Native to 2.0.14. (markt) + + Update: Update Objenesis to 3.5. (markt) + + Update: Update Byte Buddy to 1.18.7. (markt) + + Update: Update BND to 7.2.1. (markt) + + Update: Improvements to French translations. (remm) + + Update: Improvements to Chinese translations provided by eaststrongox. + (markt) + + Update: Improvements to Japanese translations provided by tak7iji. (markt) + +------------------------------------------------------------------- Old: ---- apache-tomcat-11.0.18-src.tar.gz apache-tomcat-11.0.18-src.tar.gz.asc New: ---- apache-tomcat-11.0.21-src.tar.gz apache-tomcat-11.0.21-src.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tomcat11.spec ++++++ --- /var/tmp/diff_new_pack.ZIl4uq/_old 2026-04-14 17:49:43.511025791 +0200 +++ /var/tmp/diff_new_pack.ZIl4uq/_new 2026-04-14 17:49:43.515025956 +0200 @@ -1,7 +1,7 @@ # # spec file for package tomcat11 # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2025-2026 SUSE LLC and contributors # Copyright (c) 2000-2009, JPackage Project # # All modifications and additions to the file contributed by third parties @@ -29,7 +29,7 @@ %define elspec %{elspec_major}.%{elspec_minor} %define major_version 11 %define minor_version 0 -%define micro_version 18 +%define micro_version 21 %define java_major 1 %define java_minor 17 %define java_version %{java_major}.%{java_minor} ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.ZIl4uq/_old 2026-04-14 17:49:43.575028436 +0200 +++ /var/tmp/diff_new_pack.ZIl4uq/_new 2026-04-14 17:49:43.579028602 +0200 @@ -1,6 +1,6 @@ -mtime: 1772824532 -commit: 72f1ff60b47b3997fc20acbff9a571a22d8b7a91d305c3a21e7ae46cc8219590 +mtime: 1776086528 +commit: 84444d5529ba2e95551bc530cbebf0b02991b0ae477b4e500fbfa2de98e80858 url: https://src.opensuse.org/java-packages/tomcat11.git -revision: 72f1ff60b47b3997fc20acbff9a571a22d8b7a91d305c3a21e7ae46cc8219590 +revision: 84444d5529ba2e95551bc530cbebf0b02991b0ae477b4e500fbfa2de98e80858 projectscmsync: https://src.opensuse.org/java-packages/_ObsPrj ++++++ apache-tomcat-11.0.18-src.tar.gz -> apache-tomcat-11.0.21-src.tar.gz ++++++ /work/SRC/openSUSE:Factory/tomcat11/apache-tomcat-11.0.18-src.tar.gz /work/SRC/openSUSE:Factory/.tomcat11.new.21863/apache-tomcat-11.0.21-src.tar.gz differ: char 13, line 1 ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-04-13 15:22:42.000000000 +0200 @@ -0,0 +1 @@ +.osc ++++++ tomcat-jdt.patch ++++++ --- /var/tmp/diff_new_pack.ZIl4uq/_old 2026-04-14 17:49:43.807038027 +0200 +++ /var/tmp/diff_new_pack.ZIl4uq/_new 2026-04-14 17:49:43.811038191 +0200 @@ -36,8 +36,8 @@ } else if (opt.equals("26")) { // Constant not available in latest ECJ version shipped with // Tomcat. May be supported in a snapshot build. -@@ -342,11 +342,11 @@ - settings.put(CompilerOptions.OPTION_Source, "26"); +@@ -347,11 +347,11 @@ + settings.put(CompilerOptions.OPTION_Source, "27"); } else { log.warn(Localizer.getMessage("jsp.warning.unknown.sourceVM", opt)); - settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_17); @@ -50,7 +50,7 @@ } // Target JVM -@@ -396,35 +396,35 @@ +@@ -401,35 +401,35 @@ settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_15); settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_15); } else if (opt.equals("16")) { @@ -106,8 +106,8 @@ } else if (opt.equals("26")) { // Constant not available in latest ECJ version shipped with // Tomcat. May be supported in a snapshot build. -@@ -433,12 +433,12 @@ - settings.put(CompilerOptions.OPTION_Compliance, "26"); +@@ -444,12 +444,12 @@ + settings.put(CompilerOptions.OPTION_Compliance, "27"); } else { log.warn(Localizer.getMessage("jsp.warning.unknown.targetVM", opt)); - settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_17);
